21st Century Oncology was asked by the Federal Bureau of Investigation to delay notifying patients that their information had been taken when a third party gained unauthorized access to one of its databases, the cancer clinic said in a Wednesday notification letter to patients.
The information pilfered in the Oct. 3 breach included names, Social Security numbers, diagnoses, treatment data, insurance details and doctors' names – information that Kevin Watson, CEO of Netsurion, said “could unlock the potential for significant medical fraud.”
If, as 21st Century Oncology claimed, “insurance plan information was stolen along with identity information, data thieves would have a good indicator on which identities hold a higher value, based on the value of the insurance plan,” Watson said in comments emailed to SCMagazine.com. “If thieves focus on the individuals with the highest plan costs, these are likely to be people who are more established in their lives, have families, higher incomes and better credit, meaning their identities are worth even more on the black market.”
The FBI alerted the clinic to the cyber trespass on Nov. 15 but asked for its cooperation in keeping the breach under wraps until the agency could wrap up its investigation and 21st Century Oncology complied.
“The fact that many of these breaches are reported by the FBI, rather than discovered by the company that holds the data, speaks to the heart of the problem – many organizations do not have sufficient technical expertise and capabilities in place to protect data and respond in a timely manner in the event of a breach,” Chenxi Wang, chief strategy officer for Twistlock, said in comments emailed to SCMagazine.com. “This is becoming an increasingly pressing problem for the entire industry.”
The clinic said that, so far, the stolen data hasn't been used in fraudulent activity. “We have no indication that the information has been misused in any way; however, out of an abundance of caution, we are notifying the affected patients,” the company said, noting that the third party apparently didn't tap into medical records.
But such information is of premium value to cyberthieves. “Any business, organization or institution that keeps social security numbers, medical data and other personal information online is a potential goldmine for the cybercriminal because they can get a massive amount of valuable information in a very short period of time,” Paul Jespersen, vice president of Enterprise Business Development at Comodo, said in comments emailed to SCMagazine.com. “Hospitals, medical practices, schools and even governments are at particular risk due to the high likelihood of handling private data that criminals would find attractive.”
The breach is a reminder “that data security is not limited to the processing of payments and credit cards,” said Watson. “Businesses of all kinds, and across all industries, must act to protect sensitive information stored in their systems using ongoing efforts, not simple ‘fix it and forget it’ methods.”
He called for “a broad understanding that in order to be truly protected, enterprises must become proactive in securing network access, encrypting data and auditing security methods on a regular basis.”
The cancer clinic, in its statement, urged patients to “regularly review the explanation of benefits that they receive from their health insurer” and report “any services they did not receive.”
Update: A new press release from 21st Century Oncology's law firm stated that 2.2 million current and former patients may have had their information exposed by the breach.